Commit 7605f04

Merge pull request #313391 from mbender-ms/pr/mbender-ms/zta-networking-combined
[Networking] Add ZTA secure recommendation includes and articles
2 parents fe3a8ff + 81a4d44 commit 7605f04

30 files changed

Lines changed: 781 additions & 0 deletions

articles/networking/TOC.yml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,18 @@
6464
- name: Security controls by Azure Policy
6565
displayName: regulatory, compliance, standards, domains
6666
href: ./security-controls-policy.md
67+
- name: Zero Trust network security
68+
items:
69+
- name: Zero Trust network security recommendations
70+
href: security/zero-trust-network-security.md
71+
- name: Azure DDoS Protection
72+
href: security/zero-trust-ddos-protection.md
73+
- name: Azure Firewall
74+
href: security/zero-trust-azure-firewall.md
75+
- name: Application Gateway WAF
76+
href: security/zero-trust-application-gateway-waf.md
77+
- name: Azure Front Door WAF
78+
href: security/zero-trust-front-door-waf.md
6779
- name: Virtual networks
6880
href: ../virtual-network/virtual-networks-overview.md?toc=%2fazure%2fnetworking%2ftoc.json
6981
- name: Network load balancing
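Review bot: The five new `href` values (`security/zero-trust-network-security.md` and the four service entries) use a bare relative path, while the neighbouring entries in this hunk use `./security-controls-policy.md` and `../virtual-network/...`; prefix them with `./` for consistency, and confirm that the `security/` articles they point to are part of this PR, since only the include files are visible in the rendered diff.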
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
---
2+
title: DDoS Protection is enabled for all public IP addresses in VNets
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-ddos-protection
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Distributed denial of service (DDoS) attacks aim to overwhelm application compute, network, or memory resources, rendering services inaccessible to legitimate users. Any public-facing endpoint exposed to the internet is a potential target. Azure DDoS Protection provides always-on monitoring and automatic mitigation against network-layer attacks targeting public IP addresses. Protection can be enabled through DDoS IP Protection directly on individual public IPs, or through DDoS Network Protection at the virtual network level via a DDoS protection plan. Without DDoS Protection, public IPs for services such as Application Gateways, Load Balancers, Azure Firewalls, Azure Bastion, Virtual Network Gateways, and virtual machines remain exposed to attacks that can exhaust bandwidth and system resources, causing cascading outages across dependent services. This check verifies that every public IP address is covered by DDoS protection through either approach.
17+
18+
**Remediation action**
19+
20+
- [Azure DDoS Protection overview](/azure/ddos-protection/ddos-protection-overview)
21+
- [Create and configure Azure DDoS Network Protection using the Azure portal](/azure/ddos-protection/manage-ddos-protection)
22+
- [Create and configure Azure DDoS IP Protection using the Azure portal](/azure/ddos-protection/manage-ddos-ip-protection-portal)
23+
- [Azure DDoS Protection SKU comparison](/azure/ddos-protection/ddos-protection-sku-comparison)
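Review bot: The commented metadata `# minimumlicense: unknown` ships as a placeholder in the front matter; either resolve it (the body itself notes that DDoS Network Protection is enabled via a DDoS protection plan, so the requirement is known) or drop the line before merge. The title scopes the check to public IPs "in VNets" while the closing sentence says "every public IP address"; align the two so readers know whether public IPs not attached to a VNet resource are in scope.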
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
---
2+
title: Outbound traffic from VNet-integrated workloads is routed through Azure Firewall
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Medium
15+
---
16+
Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. However, using Azure Firewall alone for outbound connectivity can lead to SNAT port exhaustion under high-traffic workloads. The recommendation is to deploy NAT Gateway alongside Azure Firewall — Azure Firewall handles outbound security inspection (threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement), while NAT Gateway provides scalable SNAT ports for the actual outbound traffic flow. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services, with NAT Gateway configured on the AzureFirewallSubnet to handle outbound translation. Without this combined approach, organizations risk either uninspected outbound traffic or SNAT port exhaustion leading to dropped connections. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
17+
18+
**Remediation action**
19+
20+
- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#configure-routing)
21+
- [Manage route tables and routes](/azure/virtual-network/manage-route-table)
22+
- [Control App Service outbound traffic with Azure Firewall](/azure/app-service/network-secure-outbound-traffic-azure-firewall)
23+
- [Azure Firewall security rules](/azure/firewall/rule-processing)
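Review bot: Most of the paragraph argues for pairing NAT Gateway with Azure Firewall to avoid SNAT port exhaustion, but the check described in the last sentence only verifies that effective routes point at the firewall's private IP, and none of the four remediation links covers NAT Gateway; either add a NAT Gateway remediation link or trim the NAT Gateway discussion so the include matches what the check measures. The clause joined by a dash after "alongside Azure Firewall" would also read better as its own sentence, matching the sibling includes.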
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
---
2+
title: Threat intelligence is enabled in deny mode on Azure Firewall
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Firewall Threat Intelligence-based filtering alerts and denies traffic from and to known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When enabled, Azure Firewall evaluates traffic against threat intelligence rules before applying network address translation (NAT), network, or application rules. This check verifies that Threat Intelligence is enabled in "Alert and deny" mode in the Azure Firewall policy. Without this feature enabled, the environment remains exposed to known malicious IPs, domains, and URLs, creating risk of compromise or data exfiltration.
17+
18+
**Remediation action**
19+
20+
- [Azure Firewall threat intelligence configuration](/azure/firewall-manager/threat-intelligence-settings)
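Review bot: The opening sentence says the feature "alerts and denies" traffic unconditionally, but the check verifies the "Alert and deny" mode specifically, which implies an alert-only mode in which nothing is blocked; state that failing condition explicitly, as the IDPS include does with "If IDPS is disabled or in 'Alert' only mode". The single remediation link targets Firewall Manager; add a link for policies managed directly in Azure Firewall so readers who do not use Firewall Manager have a remediation path.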
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
---
2+
title: IDPS inspection is enabled in deny mode on Azure Firewall
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Firewall Premium offers signature-based Intrusion Detection and Prevention System (IDPS) to detect attacks by identifying specific patterns such as byte sequences in network traffic or known malicious instruction sequences used by malware. IDPS signatures apply to both application and network-level traffic at Layers 3-7, are fully managed and continuously updated, and can be applied to inbound, spoke-to-spoke, and outbound traffic including traffic to and from on-premises networks. This check verifies that IDPS is enabled in "Alert and deny" mode in the Azure Firewall policy. If IDPS is disabled or in "Alert" only mode, malicious patterns in network traffic are not actively blocked.
17+
18+
**Remediation action**
19+
20+
- [Azure Firewall Premium features implementation guide](/azure/firewall/premium-features)
21+
- [Azure Firewall features by SKU](/azure/firewall/choose-firewall-sku)
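Review bot: The body names Azure Firewall Premium as the SKU that offers IDPS and links the per-SKU feature table, yet the metadata marks `# implementationcost: Low`; for firewalls on a non-Premium SKU, remediation means an SKU change rather than a policy toggle, so either state the Premium prerequisite explicitly in the paragraph or reconsider the cost rating.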
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
---
2+
title: Application Gateway WAF is enabled in prevention mode
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-web-application-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Application Gateway Web Application Firewall (WAF) protects web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and other Open Worldwide Application Security Project (OWASP) Top 10 threats. WAF operates in two modes: Detection mode evaluates incoming requests and logs matches but does not block traffic, while Prevention mode evaluates requests and actively blocks malicious requests that violate WAF rules. Running WAF in Prevention mode is crucial for actively protecting applications against common web attacks. If WAF is in Detection mode, malicious traffic is only logged and not prevented, leaving applications exposed to exploitation.
17+
18+
**Remediation action**
19+
20+
- [Configure WAF on Azure Application Gateway](/azure/web-application-firewall/ag/ag-overview#waf-modes)
21+
- [Create and manage WAF policies for Application Gateway](/azure/web-application-firewall/ag/create-waf-policy-ag)
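Review bot: The link text "Configure WAF on Azure Application Gateway" points to `ag-overview#waf-modes`, which is a concept section rather than configuration steps; retitle it (for example "WAF modes on Azure Application Gateway") and keep the `create-waf-policy-ag` link as the how-to. The paragraph is also nearly identical to the Azure Front Door include in this PR; a shared include with a service-specific title would avoid maintaining two copies.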
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
---
2+
title: Azure Front Door WAF is enabled in prevention mode
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-web-application-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Front Door Web Application Firewall (WAF) protects web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting, and other Open Worldwide Application Security Project (OWASP) Top 10 threats at the network edge. WAF operates in two modes: Detection mode evaluates incoming requests and logs matches but does not block traffic, while Prevention mode evaluates requests and actively blocks malicious requests that violate WAF rules. Running WAF in Prevention mode is crucial for actively protecting applications against common web attacks. If WAF is in Detection mode, malicious traffic is only logged and not prevented, leaving applications exposed to exploitation.
17+
18+
**Remediation action**
19+
20+
- [Configure WAF for Azure Front Door](/azure/web-application-firewall/afds/afds-overview)
21+
- [Policy settings for WAF in Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-policy-settings#waf-mode)
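Review bot: Switching a WAF policy to Prevention mode blocks every request that matches a rule, including false positives that were only logged in Detection mode; the body does not mention tuning before the switch and the `# userimpact: Low` rating does not reflect that risk. Add a sentence on tuning in Detection mode first and include the tuning link that the Front Door request-body include in this PR already uses (`/azure/web-application-firewall/afds/waf-front-door-tuning`).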
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
---
2+
title: Inspection of outbound TLS traffic is enabled on Azure Firewall
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Firewall Premium provides Transport Layer Security (TLS) inspection to decrypt, inspect, and re-encrypt outbound and east-west encrypted traffic using a customer-provided certificate authority (CA) certificate stored in Azure Key Vault. TLS inspection enables advanced security capabilities including Intrusion Detection and Prevention System (IDPS) and URL filtering to analyze encrypted traffic and identify threats that use encrypted channels to evade detection. Without TLS inspection enabled, the firewall cannot inspect encrypted payloads, significantly limiting visibility into threats that leverage TLS to bypass traditional security controls.
17+
18+
**Remediation action**
19+
20+
- [Enable TLS inspection in Azure Firewall Premium](/azure/firewall/premium-features#tls-inspection)
21+
- [Deploy certificates with enterprise CA for Azure Firewall Premium TLS inspection](/azure/firewall/premium-deploy-certificates-enterprise-ca)
22+
- [Create and configure intermediate CA certificates for TLS inspection](/azure/firewall/premium-certificates)
23+
- [Store certificates in Azure Key Vault for TLS inspection](/azure/key-vault/certificates/certificate-scenarios)
24+
- [Configure application rules with TLS inspection in Azure Firewall policy](/azure/firewall/tutorial-firewall-deploy-portal-policy)
25+
- [Azure Firewall features by SKU](/azure/firewall/choose-firewall-sku)
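Review bot: Unlike the other includes in this PR, this one never says what the check verifies; add a closing sentence along the lines of "This check verifies that TLS inspection is enabled in the Azure Firewall Premium policy" so the reader knows the pass/fail condition. The paragraph also describes decrypting and re-encrypting with a customer-provided CA but not that clients must trust that CA for re-encrypted sessions to succeed, a detail the "Deploy certificates with enterprise CA" link covers and that argues against `# userimpact: Low`.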
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
title: Request body inspection is enabled in Application Gateway WAF
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-web-application-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Application Gateway Web Application Firewall (WAF) provides centralized protection for web applications against common exploits and vulnerabilities at the regional level. Request body inspection allows the WAF to analyze HTTP POST, PUT, and PATCH request bodies for malicious patterns including SQL injection, cross-site scripting, and command injection payloads. When request body inspection is disabled, threat actors can embed malicious content within form submissions, API calls, or file uploads that bypass all WAF rule evaluation. This creates a direct path to exploitation where attackers gain initial access through unprotected endpoints, execute arbitrary commands against backend databases, exfiltrate sensitive data, and pivot to internal systems. The WAF's managed rule sets, including Open Worldwide Application Security Project (OWASP) Core Rule Set and Microsoft Bot Manager rules, cannot evaluate threats they cannot see, rendering these protections ineffective against common body-based attack vectors.
17+
18+
**Remediation action**
19+
20+
- [Azure Web Application Firewall on Azure Application Gateway overview](/azure/web-application-firewall/ag/ag-overview)
21+
- [Create Web Application Firewall policies for Application Gateway](/azure/web-application-firewall/ag/create-waf-policy-ag) including request body inspection settings
22+
- [Application Gateway WAF FAQ and tuning best practices](/azure/web-application-firewall/ag/application-gateway-waf-faq)
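Review bot: "bypass all WAF rule evaluation" overstates the gap and contradicts the final sentence, which correctly limits the impact to "body-based attack vectors"; with body inspection off, rules over headers, URI and query string still run, so reword to "bypass the rules that evaluate the request body". This include also lacks the "This check verifies ..." sentence the firewall and DDoS includes end with; add one stating that request body inspection is enabled in the Application Gateway WAF policy.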
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
title: Request body inspection is enabled in Azure Front Door WAF
3+
ms.author: joflore
4+
author: MicrosoftGuyJFlo
5+
ms.service: azure-web-application-firewall
6+
ms.topic: include
7+
ms.date: 03/10/2026
8+
ms.custom: Network-Secure-Recommendation
9+
# minimumlicense: unknown
10+
# sfipillar: Protect networks
11+
# category: Azure Network Security
12+
# risklevel: High
13+
# userimpact: Low
14+
# implementationcost: Low
15+
---
16+
Azure Front Door Web Application Firewall (WAF) provides centralized protection for web applications against common exploits and vulnerabilities. Request body inspection allows the WAF to analyze HTTP POST, PUT, and PATCH request bodies for malicious patterns including SQL injection, cross-site scripting, and command injection payloads. When request body inspection is disabled, threat actors can embed malicious content within form submissions, API calls, or file uploads that bypass all WAF rule evaluation. This creates a direct path to exploitation where attackers gain initial access through unprotected endpoints, execute arbitrary commands against backend databases, exfiltrate sensitive data, and pivot to internal systems. The WAF's managed rule sets, including Open Worldwide Application Security Project (OWASP) Core Rule Set and Microsoft's threat intelligence-based rules, cannot evaluate threats they cannot see, rendering these protections ineffective against common body-based attack vectors.
17+
18+
**Remediation action**
19+
20+
- [Azure Web Application Firewall on Azure Front Door overview](/azure/web-application-firewall/afds/afds-overview)
21+
- [Policy settings for Web Application Firewall on Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-policy-settings) including request body inspection configuration
22+
- [Tuning Azure Web Application Firewall for Azure Front Door](/azure/web-application-firewall/afds/waf-front-door-tuning)
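Review bot: The trailing phrase "including request body inspection configuration" sits outside the link brackets and renders as a dangling fragment after the link; fold it into the link text or make it a short sentence. As with the Application Gateway request-body include, the body lacks a closing "This check verifies ..." sentence and repeats the "bypass all WAF rule evaluation" overstatement; the two includes are near-verbatim copies apart from the rule-set names ("Microsoft Bot Manager rules" versus "Microsoft's threat intelligence-based rules"), so confirm which managed rule sets apply to each service before merging.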
